#
# Chroot everyone to their home directory
#
DefaultRoot ~
#
# Configure server for SSL only:
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1
# Are clients required to use FTP over TLS when talking to this server?
# Require SSL/TLS on both channels.
TLSRequired on
# Server's certificate
TLSRSACertificateFile /etc/proftpd/server.crt
TLSRSACertificateKeyFile /etc/proftpd/server.key
# CA the server trusts
TLSCACertificateFile /etc/ssl/certs/ca.crt
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
#
# new
#
TLSOptions NoCertRequest
# TLSTimeoutHandshake 60
</IfModule>
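
The following is an added example, not part of the original post or of ProFTPD: a Python check that reads the mod_tls block above and lists the settings a reviewer would question. The function names and the choice of checks are assumptions made here, and the sample text is constructed from the directives shown above.

```python
import re

# Constructed sample: the mod_tls directives from the configuration above.
SAMPLE = """\
<IfModule mod_tls.c>
TLSEngine on
# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1
TLSRequired on
TLSVerifyClient off
TLSRenegotiate required off
TLSOptions NoCertRequest
# TLSTimeoutHandshake 60
</IfModule>
"""

def tls_directives(text):
    """Return {directive: [args]} for lines inside <IfModule mod_tls.c>."""
    found, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if re.match(r"<IfModule\s+mod_tls\.c>", line, re.I):
            inside = True
        elif re.match(r"</IfModule>", line, re.I):
            inside = False
        elif inside:
            name, *args = line.split()
            found[name] = args  # simplification: keep the last occurrence
    return found

def audit(text):
    """List settings in the mod_tls block that weaken the TLS setup."""
    d = tls_directives(text)
    notes = []
    if d.get("TLSEngine", ["off"])[0].lower() != "on":
        notes.append("TLSEngine is not on: mod_tls is inactive")
    for proto in d.get("TLSProtocol", []):
        if proto.lower().startswith("ssl"):  # any SSL-era protocol token
            notes.append(f"TLSProtocol allows {proto}")
    if d.get("TLSRequired", ["off"])[0].lower() != "on":
        notes.append("TLSRequired is not on: TLS is not forced on both channels")
    if d.get("TLSVerifyClient", ["off"])[0].lower() == "off":
        notes.append("TLSVerifyClient off: clients are not authenticated by certificate")
    return notes

if __name__ == "__main__":
    for note in audit(SAMPLE):
        print(note)
```
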

In the end it didn't work, and I went to #proftpd on irc.freenode.net where I found castaglia (TJ Saunders) who debugged it with me and got it working.

I found that the version that currently installs on Etch (1.3.0 stable) seems to be configured for the wrong version of SSL.